Fueled by the growth of Internet, more and more private, commercial and governmental organizations strive to interact, conduct business, and provide various services electronically that go beyond merely providing access to information. Individuals share files through e-mails, personal websites and exchange information in online chat rooms. Small and large business provide plethora of online services including virtual retail and wholesale stores, personal electronic banking and investment services, online reservation services, etc. Government agencies also utilize widespread public access to Internet to provide such online services as renewal of driver licenses, electronic filing of taxes and even patent applications. Thus, the Internet has become more than just a pipeline for sending data, it has become a medium for conducting electronic transactions that promise speed and high throughput.
As the frequency and complexity of online business transactions grow, the task of assuring the security and reliability of such transactions becomes increasingly difficult. High throughput or speed often results in reduced security and even security breaches. For instance, a typical online purchase transaction may involve a buyer requesting purchase of particular goods; a seller checking availability of the goods; the buyer transmitting billing information to the seller; the seller billing buyer's credit card or bank account; the seller requesting shipment of goods from a delivery service, and finally shipping the goods. If this process is required to be speeded up, then it is imperative that the buyer provide confidential information over the Internet to the seller or alternatively the seller limit sales to alternatively authenticated buyers, such as existing customers, or offer goods under control of another Web retailing site such as Amazon.com and the like. The seller could also ship goods or provide access to services on little more than a prayer and a hope. In the event there is a dispute, there is no clear method for determining the nature of the transaction other the records of each of the parties themselves.
Moreover, due to significant back-end processing conducted by each party in the course of a complex electronic transaction, a virus or a hacker attack or a failure of an application, system or network may disrupt any part of the transaction with the result that one or more parties may be unsure of their rights and remedies or the status of the transaction. Faced with such a disruption, there is no clear method for determining the nature of the disruption and its effect on the transaction other than the records of the parties themselves.
To mitigate these problems, parties to the electronic business transaction sometimes rely on trusted-third-party services. Usually such a service includes one or more of certification of a transaction, authentication of the parties, distribution of data encryption/decryption algorithms, distribution of secret information, recording of the transaction details and arbitration of disputes between the parties concerning the authenticity of the communication. There are drawbacks to the use of such third parties since, for example, the recording of the transaction details by the third party results in the third party having access to confidential information as well. In addition, the need to record and respond to voluminous information requires significant investment in infrastructure, such as server banks, and bandwidth on part of the participants and the third parties. As a result, the choice of suitable third parties worthy of such trust is rather limited with the risk of future conflicts of interest while being accompanied by significant performance and cost penalties.
There are some patents describing the use of such third parties. For instance, in U.S. Pat. Nos. 5,790,677 and 6,560,581, a trusted third party is used as a credential binding authority to register parties to a transaction and then to authenticate them using their registration information when a transaction is initiated. Thus, the credentialing party is privy to the otherwise confidential information about all of the parties in the subsequent transaction. Moreover, the parties subsequently exchange commercial documents and information but with little recourse if any particular communication fails. Thus, if an offer was made then the party making the offer may not know whether a delay in receiving an acceptance is due to a network problem or due to a rejection of the offer.
In U.S. Pat. No. 6,199,052, a trusted third party acts as an intermediary and a non-repudiation authority that prevents either party to a transaction from denying receiving a message that has actually been received. In U.S. Pat. No. 6,327,656, a trusted third party certifies e-mail transmissions for subsequent verification and authentication. In both of these patents, the trusted third party has a significant amount of information about the transacting parties. Further, in the event of a suspected breach it is not clear if the breach has actually happened. For instance, the problem of knowing whether a message has actually reached a party or a network failure has taken place may prevent one or more parties from acting in a timely manner. While this may not be a serious drawback in the context of low throughput transactions, in a high throughput transaction context this could be a serious and costly impediment.
Further, the prior art third parties could themselves be commercial entities that if provided access to confidential commercial information may present a security risk that is only heightened if they are also storing or archiving such information. The concern with the unfettered access to credit card and identifying information due to the bankruptcy of many web-based companies is another example of the danger posed by third parties having too much information. Yet another example is the archiving of text messages by text messaging service providers due to the possibility of contested bills despite the security risk posed by such a cache, which may be a target for unauthorized or unexpected access for reasons unrelated to establishing a transaction. Moreover, such an abundance of information may further load the networks, reduce efficiency and may reduce the possible throughput rate for electronic transactions that may require additional investment in resources to provide a required transaction handling capacity. Thus, asking far too much or too little of third parties or trusted intermediaries presents additional problems.
Although prior art apparatus and methods address some security aspects of electronic transactions, such as privacy, authentication and access control, they are still unreliable when an anomaly in the expected flow of electronic transaction occurs. Specifically, none of the above methods or systems adequately enable the trusted third party to resolve issues that might arise due to a disrupted transaction due to the lack of technical means to timely detect and act on the knowledge of such disruptions. For instance, in the case of certified e-mail, if an e-mail reached its destination but a certificate of the transmission has been lost for one of the above reasons, the sender will be inclined to retransmit the e-mail assuming it never reached its destination. Depending on the circumstances, such retransmission may have unintended, and sometimes disastrous, results: if, for example, the original e-mail was directed to a stock broker with a request to purchase certain number of share of stock, and it was received and request was processed, the second e-mail making the same request may result in unintended purchase of additional shares of stock. Accordingly, the prior art trusted-third-party solutions, such as e-mail certification, are unreliable because they leave one or more parties guessing as to the cause of a disruption rather than flagging a disruption to allow a rapid response the transacting parties.